Cryptech: The Open Hardware Security Module Platform



slide-1
SLIDE 1

Cryptech

The Open Hardware Security Module Platform

slide-2
SLIDE 2

::1

Joachim Strömbergson
Assured AB
https://github.com/secworks

  • IT security
  • Embedded systems
  • ASIC, FPGA
  • Biometrics
  • Open Crypto Hardware
  • CPU design
  • Assembly hacking

slide-3
SLIDE 3

Hardware Security Modules: Black Boxes FTW

slide-4
SLIDE 4

Hardware Security Module (HSM)

  • Dedicated appliance for cryptographic operations
  • Generate, use and store secrets (private keys in PKI)
  • Protect secrets
  • Offload sensitive operations from general systems
  • Crypto acceleration
  • Very expensive
  • Very few vendors
  • National interests – strong connections to agencies
slide-5
SLIDE 5

Hardware Security Module (HSM)

[Figure: HSM block diagram. Labels: Storage of private keys, secrets; CPU; Crypto acceleration; Random Number Generator (RNG); Random physical process; Management interface; Application interface; PKCS#11; Physical enclosure]

slide-6
SLIDE 6
slide-7
SLIDE 7

Hardware Security Module (HSM)

  • PKCS#11
  • Public Key Crypto Standard, and an API
  • Object types for RSA keys, X.509 Certificates
  • Generate, Sign, Seal, Verify, Export
  • RSA Security, now OASIS
  • NIST FIPS 140-2, Common Criteria, NIST SP 800-90, BSI AIS31
slide-8
SLIDE 8
slide-9
SLIDE 9

IBM 4758 PCI HSM

slide-10
SLIDE 10
slide-11
SLIDE 11
slide-12
SLIDE 12
slide-13
SLIDE 13

The random-number generators used for key generation are fatally flawed, and have generated real certificates containing keys that provide no security whatsoever.

slide-14
SLIDE 14

Dual_EC_DRBG in SP 800-90

slide-15
SLIDE 15

Faulty RSA key generation (ROCA) in Secure Element chips from Infineon. >1 Billion(!) devices affected globally

slide-16
SLIDE 16

HSM Vulnerabilities

  • CVE-2015-5464: SafeNet Luna remote key export restriction bypass
  • CVE-2015-1878: Thales nShield arbitrary sign, key extract
slide-17
SLIDE 17

The Cryptech Project: Towards Open HSMs

slide-18
SLIDE 18

The Cryptech Project

  • Multi-year effort to move towards an open HSM platform developed using open, auditable and trusted tools.
  • Started at the suggestion of Russ Housley, Jari Arkko, and Stephen Farrell of the IETF to meet the assurance needs of supporting IETF protocols in an open and transparent manner.
  • Composable, e.g. "Give me a key store and signer suitable for DNSSEC"
  • Reasonable assurance by being open, diverse design team
  • Core team from Sweden, Russia, USA, Germany, Japan, Ireland
  • Open development, signed commits to Git repos etc
slide-19
SLIDE 19

The Cryptech Project

  • 2-clause BSD license for all SW, FPGA source code
  • All cores for crypto acceleration in HW (AES, SHA-256, RSA, EC)
  • Creative Commons for all drawings, documents
  • PCB layout, Bill of Materials (BoM)
  • Repos accessible via trac: https://trac.cryptech.is/
  • Mailing lists: https://trac.cryptech.is/wiki/MailingLists
  • Step by step towards open toolchain
  • Goal is to be able to do reproducible builds, traceable builds
slide-20
SLIDE 20

The Cryptech Project

  • Verilog (2001) for all FPGA cores
  • Functional models in C, Python, Verilog
  • Icarus Verilog, Verilator used for simulations, linting
  • C, asm, Python, Bash, Make for SW and integration
  • Mainly GCC. Some Clang/llvm for static analysis etc
  • OpenOCD for debug, FW download etc
slide-21
SLIDE 21

Terasic DE0-Nano

  • Very simple, cheap FPGA with Altera/Intel Cyclone device
  • Cheap and easy to use.
  • Used to develop first cores and core test system
  • Slow and not very open platform
  • Intel/Altera tools required
slide-22
SLIDE 22

The Novena Open Laptop by Bunnie Huang

  • Quad Core Cortex A9 MCU @ 1.2 GHz
  • BLOB-free firmware and SW
  • Xilinx Spartan-6 FPGA
  • Huge number of interfaces, peripherals

http://www.kosagi.com/w/index.php?title=Novena_Main_Page

slide-23
SLIDE 23
slide-24
SLIDE 24

CrypTech Noise Boards

slide-25
SLIDE 25

The Cryptech TRNG

slide-26
SLIDE 26

CrypTech Bridge Board

slide-27
SLIDE 27

The Cryptech Alpha board: Our current platform

slide-28
SLIDE 28

The Cryptech Alpha Board

slide-29
SLIDE 29

The CrypTech Alpha Board

  • ARM Cortex M4F based main CPU (STM32F429)
  • Xilinx Artix-7 T200 FPGA
  • AVR 8-bit MCU for tamper protection
  • PKCS#11 and management SW developed by the project
  • Comprehensive set of FPGA cores developed by the project
  • RSA, EC, AES, ChaCha
  • SHA-1, SHA-2, SHA-3
  • Keywrap, TRNG
  • SPI master, external interfaces, GPIOs
slide-30
SLIDE 30

The CrypTech Alpha Board

  • Complete HSM design usable for PKCS#11 applications
  • Usable by people who are used to handling PCBs, like electronics
  • Really good random number generator
  • Extensively evaluated (in-house, Cisco etc)
  • FPGA development requires tools from FPGA vendor Xilinx
  • Free as in beer, but not open, not auditable
  • FPGA core simulation done using open tools
  • Icarus Verilog, Verilator
  • PCB design using commercial tool from Altium
  • Design has been converted to KiCAD after Alpha completion
  • All SW developed using open tools
  • GCC, Clang/LLVM, OpenOCD etc

The Xilinx Vivado IDE is 20 GBytes

slide-31
SLIDE 31

[Figure: CrypTech Alpha block diagram. Labels: Application; PKCS#11; Management; MCU; PKCS#11; Mgmnt; Storage; FMC; FPGA; RSA ModExp (x4); SHA-256; ECC; TRNG; Key Wrap; Noise source; Tamper AVR; Tamper detect; MKM SRAM]

slide-32
SLIDE 32

The CrypTech Alpha Board

  • The MCU – FPGA bus FMC is a performance bottleneck
  • Long latency and low capacity (clock speed, data width)
  • All cores are slaves. CPU needs to do R-W to move data (over FMC)
  • A lot of crypto functionality still in the MCU
  • Chinese Remainder Theorem (CRT) for RSA key generation
  • Secrets are exposed in the MCU, secrets move across the FMC
  • The MCU is not an open design
  • A lot of kitchen sinks (peripherals, functionality) not needed, not trusted

Performance, security and openness can be improved

slide-33
SLIDE 33

Master Key Memories: Your black box has black boxes inside

slide-34
SLIDE 34

Tamper response, root of trust

  • Secrets are stored in flash memory
  • Keys in storage are encrypted (wrapped)
  • RFC 5649 AES-KEYWRAP, RFC 5297 AES-SIV-CMAC
  • The key used to wrap secrets is called Master Key or Key Encryption Key (KEK)

  • Single point of failure – Losing the KEK means that secrets are lost
  • Used to implement rapid tamper response
  • KEK is zeroised when a tamper event is detected
  • Master Key Memory and detection circuit is powered by battery
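
An added example (not from the slides or the Cryptech code base) that models the scheme on this slide: secrets sit in flash only as RFC 5649 wrapped blobs, and zeroising the KEK on a tamper event makes them unrecoverable. It assumes the Python `cryptography` package; the class names, key name and sample secret are hypothetical.

```python
import os
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap_with_padding, aes_key_wrap_with_padding)


class MasterKeyMemory:
    """Hypothetical model of the battery-backed memory holding the KEK."""

    def __init__(self):
        self._kek = bytearray(os.urandom(32))  # constructed 256-bit KEK

    def kek(self):
        return bytes(self._kek)

    def tamper_event(self):
        # Model of zeroisation: overwrite the KEK in place. Python cannot
        # guarantee that no other copies of the key remain in memory.
        for i in range(len(self._kek)):
            self._kek[i] = 0


class KeyStore:
    """Hypothetical flash store: only RFC 5649 wrapped blobs are kept."""

    def __init__(self, mkm):
        self.mkm, self.flash = mkm, {}

    def store(self, name, secret):
        self.flash[name] = aes_key_wrap_with_padding(self.mkm.kek(), secret)

    def load(self, name):
        try:
            return aes_key_unwrap_with_padding(self.mkm.kek(), self.flash[name])
        except InvalidUnwrap:  # wrong KEK or modified blob
            return None


def demo():
    mkm = MasterKeyMemory()
    store = KeyStore(mkm)
    secret = os.urandom(20)  # constructed; 20 bytes exercises RFC 5649 padding
    store.store("signer", secret)
    blob = store.flash["signer"]
    before = store.load("signer")          # unwraps while the KEK is intact
    store.flash["bitflip"] = bytes([blob[0] ^ 1]) + blob[1:]
    corrupted = store.load("bitflip")      # integrity check rejects the blob
    mkm.tamper_event()
    after = store.load("signer")           # KEK gone, secret unrecoverable
    return secret, len(blob), before, corrupted, after
```

The wrapped blob is 32 bytes for a 20-byte secret: the input is padded to 24 bytes and the wrap adds an 8-byte integrity block.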
slide-35
SLIDE 35

KEK storage – Security Managers

  • Specialized, low power chips
  • BGAs, no external components, internal clocks
  • Implements functions for detection of tamper events
  • Switches, light sensors, movement, temperature
  • RAM based key storage with imprinting, remanence protection
  • Key rotation, key inversion
  • Often combined with authentication, root of trust functions
  • HMAC-SHA256 or PKI based
  • Commercial devices with few vendors
  • Maxim DeepCover
  • NDAs required, info hard to get
  • They are black boxes too!
slide-36
SLIDE 36

KEK storage in Cryptech

  • The KEK is the key to the protection of stored secrets
  • Having a black box as the fundamental part of the security is NOT accepted
  • Master Key Memory is a standard, serial SRAM
  • Power supply connected to tamper switches
  • Tamper control is a low power, 8-bit AVR processor
  • Can be powered by a battery
  • Tamper FW developed by the Cryptech project using open tools (AVR-GCC)
  • Not very fast, not integrated with the memory – but open

We are working on a much better solution

slide-37
SLIDE 37

Cryptech Status: What we do right now, what we will do

slide-38
SLIDE 38

Accomplishments 2018

  • Performance Improvements
  • Revising and updating implementation to improve performance
  • Steps towards improved security. FPGA implementation of RFC 5649 AES-KEYWRAP
  • Hash-based Signatures
  • Implementation of David McGrew’s hash-based signature draft: https://datatracker.ietf.org/doc/draft-mcgrew-hash-sigs/?include_text=1

  • Quantum resistant signature scheme with potential uses in signing code updates
  • Ed25519 HW core
  • Edwards-curve signature algorithm
  • Crypto implementation done, working on drivers
  • Could implement x25519 without a lot of additional effort if needed
slide-39
SLIDE 39

Accomplishments 2018

  • External Security Code Audit
  • Completed in September of this year
  • Cure53 report is on our website: https://cryptech.is/2018/10/external-security-audit-completed/
  • No critical vulnerabilities
  • Identified vulnerabilities fixed by year-end
slide-40
SLIDE 40

Ongoing developments

  • Performance Improvements
  • Totally new RSA core architecture is being developed (10x – 20x seems possible)

  • Hunting latencies for FPGA – SW communication
  • Endian conversion in SW being moved to HW in the FPGA
  • We can do memcpy() now
  • Improving FPGA clock speed through floorplanning
  • 100+ MHz

Committed last night

slide-41
SLIDE 41

Ongoing developments

  • Security improvements
  • Moving SW crypto processing into the FPGA
  • PKCS#11 and management still in the STM32 MCU
  • Adding DMA engine inside FPGA for core – core transfer
  • Eliminate transfer of sensitive data across the FMC bus
  • Reproducible builds for releases
  • MCU, FPGA, Tamper
slide-42
SLIDE 42

Open Master Key Memory

  • Develop an open MKM, implemented in a FPGA
  • Lattice iCE40 – no external config mem, very low power consumption
  • BGA device that can be mounted on PCB back to back with main FPGA
  • Active tamper detection with ns tamper response time
  • Zeroisation of KEK with remanence/imprinting protection
  • Open toolchain and auditable FPGA bitstream
  • http://www.clifford.at/icestorm/
slide-43
SLIDE 43

Alpha v2, Alpha NG, Beta - something

  • Integrate the MCU into the FPGA – using open RISC-V cores
  • Looking at VexRiscv and Western Digital SweRV cores
  • Rearchitect the FPGA DMA engine to allow core-core transfers
  • Integrate new RSA cores when completed
  • Integrate FPGA based MKM with no exposed wires to the main FPGA.
  • Integrate small RISC-V in FPGA based Master Key Memory to add tamper functionality, root of trust (PicoRV32)

slide-44
SLIDE 44

Alpha v2, Alpha NG, Beta - something

  • Openness Improvements
  • No proprietary MCU – RISC-V is the open future
  • Open Master Key Memory, root of trust
  • We still need to use proprietary tools for the main FPGA
  • Cost and size improvements
  • Remove several components (the MCU being most costly)
  • Reduce the PCB dimensions
  • Cost reduction probably used to buy FPGA with better speed grade

http://www.clifford.at/papers/2018/nextpnr/slides.pdf - NextPnR FOSS FPGA Place & Route

https://symbiflow.github.io/ - SymbiFlow - open source FPGA tooling for rapid innovation

slide-45
SLIDE 45

[Figure: Rearchitected FPGA block diagram. Labels: Application; PKCS#11; Management; MCU; PKCS#11; Storage; FMC; Rearchitected FPGA; RSA ModExp (x4); SHA-256; ECC; TRNG; Key Wrap; Buffers; DMA; RISC-V; Noise source; FPGA MKM; Tamper sensors]

slide-46
SLIDE 46

Cryptech as an open platform

  • Diamond-HSM
  • First commercial HSM based on Cryptech
  • Developed, manufactured by Diamond Key Security (DKS)
  • Founded by people from Internet orgs. Focus on Internet infrastructure, research
  • First machines delivered. Used for DNSSEC, Federated Identity Management
  • TorHSM
  • Developing dedicated Tor Directory Authorities (DAs) based on the Cryptech Alpha

  • Adding PCIexpress – USB bridge
  • Board 1mm smaller to fit inside a host PC
  • Removing tamper-MCU, current FTDI interface chips, headers, power supply
  • https://trac.cryptech.is/wiki/ExternalProjectsTorHSM
slide-47
SLIDE 47

Diamond-HSM™

  • Trustworthy Hardware Security Module
  • Low cost, open-source solution utilizing two CrypTech modules for speed and redundancy
  • High entropy, True Random Number Generator (TRNG) for secure cryptography
  • Rugged, tamper-resistant housing
  • 1U 19” rack-mountable network appliance with USB and Ethernet interfaces
  • Two (2) embedded CrypTech modules
  • PKCS#11 API implementation supporting standard applications e.g. OpenDNSSEC and BIND for DNS zone signing for DNSSEC
  • Product availability 1H 2019

Diamond Key Security: a safer, more open, trusted Internet (24th September, 2018)

slide-48
SLIDE 48

Thanks to the Cryptech Funders!

slide-49
SLIDE 49

www.assured.se Questions

slide-50
SLIDE 50

www.assured.se

Thanks!